How Secure Is WordPress?

At Zonkey Solutions we use WordPress a lot. This online, open source website creation tool is the easiest to use and most powerful website content management system (CMS) in existence.

WordPress has been around for 15 years and powers around 30% of the top 10 million websites on the internet. Although its security has been breached on occasion, none of our WordPress maintenance customers have ever had their websites hacked. Most sites that experience security breaches have not kept the core code and plugins up to date, so the security patches released in updates were never applied to them.

WordPress Security

If it is really that insecure, how come world-renowned names and brands such as The New York Times Company, Time.com, Microsoft and The Walt Disney Company use it to power their websites, or some sections of them?

WordPress is a free and easy-to-use blogging platform, which nowadays is more of a full-blown CMS. The ecosystem of plugins, themes and services built around it has made it possible for anyone with an internet connection to build and manage a website, even if they do not have a computer!

This means that many people who have no experience or know-how of what it takes to run and manage a website have built one. Many who have no IT or coding experience have developed a plugin or a theme, or started a WordPress support agency. This ecosystem and the ease of use are the advantages WordPress has over competing solutions, but the same advantage has also become WordPress' biggest pain point.

The majority of the widespread WordPress hacks we have all heard of on the news did not happen because of an insecure WordPress web application. The majority of the attacks happened because users used weak credentials and outdated, vulnerable software, even though they were notified countless times to update it.

This does not mean that the WordPress core is perfect. WordPress has had a few security vulnerabilities in the core code, but it is important to note that they were addressed as soon as they were reported. As long as issues are addressed straight away there is nothing to worry about. Every piece of software has had its fair share of vulnerabilities, especially in its early days. I remember the days when I had to update Microsoft IIS a few times a week!

Even though the WordPress core team was already doing a good job, it still went the extra mile to help its users. The team upped its game and today things are different. The WordPress community has also learnt its lessons, and in the last few years there has been a lot of development in the right direction.

Nowadays WordPress and the ecosystem around it have changed a lot:

The WordPress core development team works with security professionals to ensure all code is secure and security issues are addressed properly. Security features such as automatically recommended strong passwords and encouraging the user to use a non-default admin account have given users a more secure out-of-the-box WordPress website.

Plugins which have not been updated in a few months are tagged and in some cases taken offline, making users aware of the risks in using them. Many security-focused and secure plugins and services are available.

People’s idea that everything that has to do with WordPress is free has changed. Now they understand that they need to pay for professional services and software, and if their website is generating revenue they invest in it. That made it possible to have commercial plugins and services, which have also helped a lot in building a more secure WordPress ecosystem and raising security awareness in the community.

A few years ago it was almost unheard of to charge for a plugin, yet today there are thousands of premium plugins and online services. There is nothing wrong with free software, though more often than not free plugins are not well maintained because of limited resources. Commercial projects, on the other hand, allow the owners to invest in research and development, and thus build more robust and secure products and services that better serve their users.

Should you use WordPress for your business website or next project? Definitely, and do not worry about security. The state of security of the WordPress ecosystem has improved so much that it has been years since we heard of serious hacking outbreaks, such as those of TimThumb and RevSlider.

If you have experience running a website you should not have a problem managing a WordPress website. If not, I would recommend doing some reading and recruiting professionals to assist you.

If you follow some basic rules such as those below, you will not have any issues running a WordPress website:

Use strong credentials and if possible implement two-factor authentication.

Keep all your software up to date, including the web server, the operating system it is running on and the PC you use to manage your website.

Before you install a plugin do some homework. Check that it has a good reputation and is well supported.

Only install plugins that are needed. Remove all deactivated plugins, themes and other software and files that are not used on the website.

There is much more you can do to harden a WordPress installation, and things can get really complicated, especially on large and complex setups, but the above is enough to get you started.
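One way to check the last three rules against an actual `wp-content/plugins` folder is sketched below as an added example; it is not code from the original article or from WordPress. It reads each plugin's header and reports plugins that are installed but inactive, and active plugins that are behind a known release. The function names, the sample plugins and the `latest` version data are hypothetical, and the `active` set is assumed to have been exported from the site's `active_plugins` option.

```python
import re
import tempfile
from pathlib import Path

# WordPress's header convention: "Plugin Name:" / "Version:" lines within the first 8 KB.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def read_header(php_file):
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {k.lower(): v.strip() for k, v in HEADER.findall(head)}
    return fields if "plugin name" in fields else None

def version_key(version):
    # Trailing ".0" groups are dropped so 1.0 and 1.0.0 compare equal.
    return tuple(int(n) for n in re.findall(r"\d+", re.sub(r"(\.0+)+$", "", version)))

def inventory(root):
    # Keys are 'folder/file.php', the form WordPress stores in active_plugins.
    files = sorted([*root.glob("*.php"), *root.glob("*/*.php")])
    found = {f.relative_to(root).as_posix(): read_header(f) for f in files}
    return {path: hdr for path, hdr in found.items() if hdr}

def audit(plugins_dir, active, latest):
    """Return (installed but inactive, active but behind `latest`)."""
    inv = inventory(Path(plugins_dir))
    inactive = sorted(p for p in inv if p not in active)
    outdated = sorted(p for p in inv if p in active and p in latest
                      and version_key(inv[p].get("version", "0")) < version_key(latest[p]))
    return inactive, outdated

def demo():
    # Constructed sample tree, active list and release data (all hypothetical).
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "contact-form/contact-form.php": "<?php\n/*\n * Plugin Name: Contact Form\n * Version: 2.1.0\n */\n",
            "contact-form/helper.php": "<?php // no header, not a plugin entry point\n",
            "old-slider/old-slider.php": "<?php\n/**\n * Plugin Name: Old Slider\n * Version: 1.0\n */\n",
            "hello.php": "<?php\n# Plugin Name: Hello\n# Version: 1.7\n",
        }
        for rel, body in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        active = {"contact-form/contact-form.php", "hello.php"}
        latest = {"contact-form/contact-form.php": "2.3.1", "hello.php": "1.7"}
        return audit(root, active, latest)

if __name__ == "__main__":
    print(demo())
```

Everything in the first list is a candidate for removal, since deactivated plugin files still sit on the server; everything in the second needs an update.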